Policy Considerations Building on the C2 Consensus on IoT Device Security Baseline Capabilities
Since the Council to Secure the Digital Economy (CSDE) first published its C2 (“Convene the Conveners”) Consensus document in September 2019, the societal and economic benefits of the Internet of Things (IoT) have only increased, thanks to the explosive growth of the IoT itself. This technological evolution is being fueled by enhanced broadband connectivity, new product innovations and the growing role of digital infrastructure across all domains. With the growth of the IoT, however, comes an increase in the diverse and rapidly changing security threats. The IoT has a complex nature in terms of multiple sectors, business models, attack surfaces, threat vectors, technical infrastructure, and risk environments. In combination with its widespread deployment across networks and rapid growth, these elements of complexity drive the need for effective security solutions. These concerns have sparked numerous cross-industry, consensus-driven approaches and standards efforts aiming to promote the security and the resilience of the IoT Device ecosystem, and related domains.
This diversity of efforts in addressing IoT security challenges was an important motivator for CSDE’s C2 Consensus project. The C2 effort convened a broad range of technical experts from many groups to develop a common set of technical security guidelines. This effectively created a consensus ‘baseline’ of connected device security capabilities. These consensus capabilities were then mapped to equivalent capabilities defined in other important standards and guidelines, tying the various standards together in one document. This mapping also proved how closely the various “minimum expectations” requirements around the globe can be aligned.
CSDE offers this document summarizing these core IoT Security policy principles. While not the product of CSDE itself, we highlight them to show the broad agreement on key security approaches among leading organizations across the information and communications technology (ICT) sector. In consolidating these efforts, this document can serve as a resource and further highlight how industry consensus-driven efforts on baseline security capabilities for IoT Devices efforts, such as the C2, can beneficially inform the conversation. The document is not an exhaustive view of these principles, which may evolve with time, but rather serves to highlight the common themes.